redline | f3dfc24f465166d35c26f23c30d4d9da5ecf5fdab39dbb01058470e22ab17886

General

Target

83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
Size

2.2MB
MD5

bda80c569715cb4e427f9408b389238a
SHA1

c1982d58ce154872aced5460cd88b106dfeaa6f7
SHA256

83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4
SHA512

ee31887687504525cfe9b0ac9e079a396ba92819bdfca2eb5259bea8b900a762cf58630cd19dc2fefbffa5253a30344691438cd3d344086ef337247f2247411d
SSDEEP

49152:V5Oxg/TFlCpM/CWKNdDgQbHbJwzF00nVLqk6FzreoZo:V5FFlCi/n4mc7M00nVGkgzrnZo

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.210.137.6:47909

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4004-19-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3800	123.exe
4928	321.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3800 set thread context of 4004	3800	123.exe	91
PID 4928 set thread context of 920	4928	321.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3308	3800	WerFault.exe	86
3024	4928	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4748	cmd.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 3800	4068	83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe	86
PID 4068 wrote to memory of 3800	4068	83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe	86
PID 4068 wrote to memory of 3800	4068	83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe	86
PID 4068 wrote to memory of 4928	4068	83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe	89
PID 4068 wrote to memory of 4928	4068	83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe	89
PID 4068 wrote to memory of 4928	4068	83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe	89
PID 3800 wrote to memory of 4004	3800	123.exe	91
PID 3800 wrote to memory of 4004	3800	123.exe	91
PID 3800 wrote to memory of 4004	3800	123.exe	91
PID 3800 wrote to memory of 4004	3800	123.exe	91
PID 3800 wrote to memory of 4004	3800	123.exe	91
PID 4928 wrote to memory of 920	4928	321.exe	95
PID 4928 wrote to memory of 920	4928	321.exe	95
PID 4928 wrote to memory of 920	4928	321.exe	95
PID 4928 wrote to memory of 920	4928	321.exe	95
PID 4928 wrote to memory of 920	4928	321.exe	95
PID 920 wrote to memory of 4748	920	vbc.exe	100
PID 920 wrote to memory of 4748	920	vbc.exe	100
PID 920 wrote to memory of 4748	920	vbc.exe	100

C:\Users\Admin\AppData\Local\Temp\83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
"C:\Users\Admin\AppData\Local\Temp\83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\Temp\123.exe
  "C:\Windows\Temp\123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 56
    3⤵
    - Program crash
    PID:3308
- C:\Windows\Temp\321.exe
  "C:\Windows\Temp\321.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 296
    3⤵
    - Program crash
    PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3800 -ip 3800
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4928 -ip 4928
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\123.exe

Filesize
515KB

MD5
3fa22b0476827d769e2af472e068dcf2

SHA1
80088e35ee337f66ced69521bacd4045d723127b

SHA256
e640c00779f3df1dd107495414e3498dc347a12fc61142faecd7aba7aa5918d1

SHA512
500c180fea4c68af86284b0f930802f361f827454eb1edc85c02c90e8c74fe937212adcd3c1aff807b841d9f0a92ad4ba8cfdc8fc1cf6fd1e6f5ba15ef75a6f3

Download Submit
C:\Windows\Temp\321.exe

Filesize
2.9MB

MD5
a774532aea9d069f6fd16a9c84ff66ac

SHA1
c45a9a43ea5810f9b1e2522a9657c43e795b01dc

SHA256
1dcf61a876f7ffd7fd19fe9b81f614f0b0daf2ca80d81f16275680a7e2dae9c6

SHA512
ee09e845d6b889b0fac803468e2f672a1a187abcbc77652e07dcc8301fb05cca25e8121411be11b6e425e36ad851a586724da2e733516f9266493441e804b32c

Download Submit
memory/920-32-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/920-44-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/3800-18-0x000000000008D000-0x000000000008E000-memory.dmp

Filesize
4KB

Download
memory/4004-24-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/4004-26-0x0000000005440000-0x000000000554A000-memory.dmp

Filesize
1.0MB

Download
memory/4004-27-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4004-28-0x0000000005400000-0x000000000543C000-memory.dmp

Filesize
240KB

Download
memory/4004-29-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4004-30-0x0000000005550000-0x000000000559C000-memory.dmp

Filesize
304KB

Download
memory/4004-25-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/4004-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4004-45-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/4004-46-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-31-0x000000000106C000-0x000000000106D000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing